Topics:  Free MS ebooks, Xamarin podcast, cloud server in 55 sec., squash your PNGs, Heartbleed fallout, RDP from Android.

• Former co-worker @_Shakeel passed along some free e-books being offered by Microsoft Virtual Academy.
• @munificentbob announced his free online book, Game Programming Patterns.
• I keep finding more and more Xamarin community resources. This week it was their podcast on SoundCloud.
• Also, useful for cross-platform development: Notes on Using Various PCL Profiles with Xamarin (via @WindowsAppDev)
• Cloud hosting service DigitalOcean advertises you can spin up a new “droplet” (i.e. VM) in 55 seconds, and has what looks to be a pretty reasonable pricing structure.
• Do you know what your TRAQ score is? Online comic Devil’s Panties (“not satanic porn!”) has a good write up about their ad revenue tanking after improperly getting flagged as an adult site.
• If you’re working on web pages be sure to check out these handy CSS tips.
• In the wake of Heartbleed the OpenBSD community is refactoring OpenSSL “one arcane VMS hack at a time.” (via Dan)
• Meanwhile, a security firm reports many Android apps (mostly games) are vulnerable to Heartbleed and most scanning apps are doing it wrong, but don’t tell us which ones are doing it right. (via Re/Code)

Tools, etc.

• Color Scheme Designer is a great online tool for generating/exploring color palettes.
• And while we’re talking design, Scott Hanselman reminds us to squish our image files – Trimage is a handy app to do that on Linux, Windows and Mac.
• Did you know Google has a Remote Desktop tool for Chrome? Well, now it’s available for Android too.

Projects, etc.

• Less than 30 days left in the FoodStats app fundraiser. We’re at $250 now. Pledge as little as a $1 or as much as you feel like – every little bit helps. Or just help spread the word: Use the share buttons on the campaign site or give this easier-to-remember URL to friends, family and those who might be interested: http://tiny.cc/foodstats
• Released an initial alpha version of Commit Message Editor – a simple, cross-platform GUI editor for commit messages in Git. The goal is to provide a light-weight editor with key features useful for writing commit messages. (This was a request from my friend and former co-worker Jonathan.)

Topics: Telecommuting tips, Heartbleed tools, the end of crapware?, Git tutorials, free education, ideas into products, humanize numbers, better Datetimes, a Git GUI.

• The Pluralsight blog has some good tips for those working from home.
• If you’ve been under a rock and haven’t heard, make sure you’ve updated OpenSSL on all your computers.
  • If you’re a LastPass user, they now have a report that will tell you which of the sites you have accounts on have patched the bug.
  • GRC (host of the Security Now podcast) has an online tool that will tell you if your browser is properly recognizing revoked SSL certificates.
• SweetLabs is working with PC vendors to replace OEM-installed crapware with a recommendation-based app store solution, letting developers sell their apps directly.
• The fledgeling OneGet community has apparently pushed to get the repository moved to Github. (via @fearthecowboy)
• Discovered that Atlassian has a nice set of Git tutorials and resources online.
• The Free Technology Academy offers free education in “Free Software, Standards and Hardware“.
• Local developer @EliThompson passed along an interesting new guide coming out soon: How to Transform Ideas into Software Products from Femgineer. Sign up to be notified when the guide is published and you can participate in a free e-mail course to get feedback on your idea.

Tools, etc.

• Wow. Humanizer is a .NET library that provides a mind-boggling array of ways to convert “strings, enums, dates, times, timespans, numbers and quantities” into more human-friendly text. (via Scott Hanselman)
• Scott also recommends Noda Time as a better library than what’s provided with the .NET Framework.
• Looking for a GUI for Git and/or Mercurial? Source Tree is a free download from Atlassian.

Projects, etc.

• Working on something, which I hope to announce the next day or two. Stay tuned….

• My friend Dan recently asked
  

  Has anyone already written the code to use the AVR on the Gertboard for the Raspberry Pi as a simple GPIO expansion/demux?

  I don’t have an answer for him, but maybe you do, or know somebody who does?

• Seattle to sport one of the first Bitcoin ATMs in the U.S.
• SQRL (Secure Quick Reliable Login) – from Steve Gibson, the host of Security Now – aims to replace username/password login for websites. This is an open project, being worked on by Steve along with fans and followers.
• I’ve used Console2, and fairly recently heard about clink and ConEmu, but sweet monkey sundae! I finally saw a screencast of ConEmu in action. Must start using this!

Tools I’ve recently started using

• Chocolatey is an attempt at a package manager, kind of like apt-get (and I stress kind of), for Windows software. It’s still a bit rough around the edges, but I’ve been using it to help ensure my tools are up to date.
• A few of us at work have been using meetings.io when working from home and I like it enough that I’ve recently decided to go ahead and sign up for an account – which gives me a profile page, vanity URL and personal meeting room.  You can still use the service without signing up, however.

Projects, coding, etc.

• Published gist of a DataParameter implementation for ADO.NET. (C#)
• Began work on replacing CtcApi unit test code with database mocks. (C#)
• Submitted class to measure time elapsed for code execution to the CtcApi. (C#)

I’m going to try something new, in an effort to both share things I find out about and write more. Each week I’ll compile a list of cool and/or useful tools, information, tips, etc. and post them here each Friday:

• Listened to a great Hanselminutes podcast interview with Model View Culture – A new media platform covering Technology, Culture, and Diversity.
• Venn diagrams of SQL JOINs. (via @jamesthigpen via @ShawnWildermuth)
• Scott Hanselman also has a good overview of things you shouldn’t be doing, or doing any more, in ASP.NET.
• Did you know that Github will show geo data as maps? And that now you can look at diffs of the committed data to see how the map changes over time?
• Is your government on Github?

Tools

• Windows Firewall Control – more and better control over the firewall built into Windows. (via Security Now, ep 441)
• Need to search a Github wiki? (Searches on Github don’t include wiki content.) There’s an extension for that. (via Stackoverflow)
• Network Monitor Mini for Android floats a minimalist upload/download speed widget on your screen.
• Need a multi-functional calculator? //web2.0calc.com has got you covered. (via @SGgrc)

Wired columnist Mat Honan recently published an article detailing how his iPhone, iPad and laptop were all wiped clean – just because some hackers wanted to get control of his “cool” 3-letter Twitter handle; @mat. Since coming out, Mat’s story has been the talk of the tech news circuit. The Security Now podcast even postponed its normal schedule to dedicate an entire episode to discussing Mat’s experience.

Mat has done an excellent job telling his story, including acknowledging his own mistakes that contributed to the hackers’ ability to take over his digital life. And many others have added their thoughts, but most of the discussion has been quite long and can be difficult to parse for the average person. I’d like to take a moment to call out the 3 key lessons I feel we can take away from what happened to Mat:

1. The myth that you “don’t have anything worth stealing“

I hear this frequently when I talk to people about adopting better security practices. The concept goes something like this:

I don’t keep any of my financial information on my computer. I’m nobody important. There’s nothing of value to anybody else on my computer.

And it’s completely wrong. The hackers who deleted Mat’s only pictures of his daughter didn’t care about his memories – they just wanted his Twitter account. Why? Because they thought an account with so few letters was cool. I’m willing to bet Mat never thought his account was valuable enough to be worth stealing either.

The truth is; if you have a computer you have something of value to hackers. If nothing else, the computer itself is something they can use. Once they gain control of it they can use your PC to attack other computers, run software to crack passwords, pretend to be you, etc, etc.

2. Trust. No. One.

If you listen to people who talk about security and privacy you will eventually hear the acronym T.N.O: Trust no one. It might sound paranoid, but in reality it’s just common sense. Obviously, we must trust others to a certain extent or we would never be able to make it through the day. The idea of T.N.O., however, is awareness. Every day we are enjoined by websites, startups, corporations, ads, etc. to

“Sign up now!“

“Link to your Facebook account!“

“Upload your address book so we can find your friends!“

Technology is a wonderful thing. It has the ability to give us unprecendented freedom to learn and see and create. But freedom comes with a price – responsibility. No matter how well intentioned the site you’re giving your information may be, no matter how much you may trust them, accidents can and will happen. T.N.O. says

1. Think seriously about whether you really want or need to provide this information.
2. What are the consequences when – not if – they lose control of this information?
3. What can you do to maintain control and/or protect yourself?

It’s all about control. Are you willing to give up control of your personal information? Your identity? If not, then make sure you take steps to protect it.

3. Back up your stuff

This one has been mentioned in almost every discussion of the Wired article, and even by Mat himself, but it’s important enough that it bears repeating. No excuses. If you’re not already doing so, establish a regular backup routine. Ideally, follow the 3-2-1 rule:

• 3 copies
• on at least 2 different types of storage (hard drive, online, CD/DVD, The Cloud, etc.)
• with 1 copy off-site (online, at a family member’s house, etc.)

Backing up your data speaks to numbers 2 and 3 under Trust. No. One. above: If you do lose control of everything can you get it back?

Be responsible

As some have noted, it’s important to note that the hackers who broke into Mat’s phone, computer and accounts did not crack his passwords. The techniques they used were all social engineering – they convinced support personnel that they were the rightful owners of Mat’s accounts. While having a strong password, and a different password for each separate account, is important protecting ourselves doesn’t stop there.

Just as you prepare for a potential earthquake, tornado or hurricane make sure you’ve prepared for the hacker that makes it past the harried tech support employee who maybe didn’t sleep well the night before.

I recently had a discussion with a co-worker regarding physical security. Our two departments share a small building with 9 offices. Each of us has a key to the building, a key to our own office, and a key to a shared storage room nearby. This co-worker was gathering feedback for a proposal he was putting together with the following goals:

• Reduce the number of keys we have to carry.
• Potentially provide access to both the building and the offices with a single key (for each employee).
• Increase access to resources by having more people able to gain access to more spaces.  (For example; getting a book from the office of a co-worker that is on vacation.)

During our conversation, my co-worker requested that I stop being so abstract in my arguments and address more factual, concrete ideas of what could (or might) actually happen. The more I thought about it in the days following our conversation, the more I realized:

This is a common mistake when thinking about security.

It’s natural to want to better understand the threat by thinking in terms of real threats that need to be protected against, but what security researchers now know is that doing so puts us at a significant disadvantage.  If we’re focusing only on concrete, defined scenarios we are limiting ourselves to what is known (or can be guessed). Are you sure you considered every scenario a potential attacker might possibly come up with? Did you take into account every possible new technology/standard/practice? How about every policy change your organization might implement? History has shown us that even if your security measures start out ahead, this approach 1) will eventually be compromised by something you didn’t think of, and 2) quickly becomes reactionary – where you find yourself implementing new security measures in response to new exploits as they are discovered.

Follow established Best Practices.

Rather than relying on a never-ending game of cat-and-mouse (where each side is constantly one-upping the other) modern security efforts attempt to follow established security practices that are known to provide protection by their very design – regardless of the type of attack that might be leveraged against them. With this recent discussion around physical security fresh in my mind, I thought I’d take a moment to talk about a couple of those best practices. This by no means an exhaustive list, and if you’d like to know more I highly recommend the podcast Security Now (which also has transcripts, if you’d rather read than listen).

Security In Depth

The phrase security in depth is a paraphrasing of the NSA‘s defense in depth approach and refers to having layers of security. Frequently, I hear people say things like; “We don’t need to encrypt account information because our servers are behind a firewall”. Relying on a single security measure means you have a single point of failure. If that mechanism ever fails or is compromised – and statistically, the chances are it will be at some point – then all bets are off. Similarly, new attacks could be developed which bypass the firewall by being completely valid network traffic.

Security in depth means wearing a belt and suspenders – if one fails, your pants still stay up. Classic medieval castles are another great example of security in depth:

1. A moat.
2. The wall.
3. Often, the streets inside a castle would be zig-zag so they wouldn’t provide a straight path to the palace at the center.
4. An inner wall.

Somebody, someday will break in eventually – so you want to make it as difficult and time-consuming as possible to get to the valuable stuff. In the case of our offices, this is accomplished by both the building and the offices having doors – each with their own key.

Now, you may be thinking (as my co-worker was) that having two keys for two doors won’t offer any more protection if a thief steals my entire keyring, leaving him with both keys. That’s absolutely a fair point. But recall that it only addresses one scenario where keys might be compromised. What if I’m in an accident, the keys from my ring are strewn across the road, and a bystander surreptitiously picks one of them up? What if I leave my keys sitting out somewhere and a potential attacker makes a quick imprint of one? What about the potential scenarios I haven’t even considered?

Furthermore, there’s the problem that that one key could (potentially) open all of the offices – which brings us to…

Compartmentalization

When things are separated from each other, each in their own compartment, we say that they are compartmentalized. In a security context this typically also means that each compartment is isolated from the others. The benefit here is that if one is compromised the attacker doesn’t automatically gain access to the others. In the building/office scenario above, this means

• A thief would only have access to the building and the office of the employee they stole the key(s) from.
• A disgruntled employee would only have access to their own office.
• The chances of a co-worker entering an office while the occupant is changing, or engaged in a private phone call are greatly minimized.

Certainly, we can scoff at some of these examples – say they’re extreme, not likely to happen, or that we can do other things to prevent them (like knocking on an office door before entering). But the point is; what of the scenarios we haven’t thought of? What about social engineering techniques that would never occur to us?

Modern security best practices shift the focus from trying to anticipate what kinds of attacks we might see to a more holistic approach that seeks to create an environment which naturally resists attacks.

Steve Gibson, the host of Security Now, has published a new freeware tool; DNS Benchmark.  Like all of Steve’s freeware, it’s a stand-alone executable (great for USB drives) and is very compact – at less than 200k.

I haven’t tried out this final release, but did experiment with an early version.  It’s a great tool for power users and/or anyone maintaining a network.  The primary purpose of DNS Benchmark is to provide speed tests and other information about publicly available Domain Name Servers, since the ones you’re using now may not provide the fastest or most secure service.